diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml index 216a0b932..19266e8c2 100644 --- a/.github/workflows/verify-k8s.yml +++ b/.github/workflows/verify-k8s.yml @@ -39,14 +39,31 @@ jobs: - name: Install kubeval run: go install github.com/instrumenta/kubeval@v0.16.1 - - name: Run kubeval for deployment - run: kubeval config/*.yaml + - run: kubeval config/*.yaml verify-k8s-deployment: runs-on: ubuntu-latest strategy: fail-fast: false # Keep running if one leg fails. - + matrix: + issuer: + - "OIDC Issuer" + - "Meta Issuer" + + include: + - issuer: "OIDC Issuer" + issuer-config: | + oidc-issuers: + https://kubernetes.default.svc: + issuer-url: https://kubernetes.default.svc + client-id: sigstore + type: kubernetes + - issuer: "Meta Issuer" + issuer-config: | + meta-issuers: + https://kubernetes.*.svc: + client-id: sigstore + type: kubernetes env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for # '*.local' hostnames. This works both for `ko` and our own tag-to-digest resolution logic, @@ -104,6 +121,7 @@ jobs: port: 2112 targetPort: 2112 EOF + # Overwrite the configuration to be what we need for KinD. cat < config/fulcio-config.yaml apiVersion: v1 @@ -113,15 +131,9 @@ jobs: namespace: fulcio-system data: config.yaml: |- - oidc-issuers: - https://kubernetes.default.svc: - issuer-url: https://kubernetes.default.svc - client-id: sigstore - type: kubernetes - meta-issuers: - https://kubernetes.*.svc: - client-id: sigstore - type: kubernetes + { + ${{ matrix.issuer-config }} + } server.yaml: |- host: 0.0.0.0 port: 5555
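Review bot: The two `issuer-config` matrix values are multi-line block scalars (`|`), yet the deploy step pastes them with `${{ matrix.issuer-config }}` inside a `config.yaml: |-` block scalar, and only the first line of an expanded expression takes the indentation of the line it sits on — the remaining lines keep the indentation they have in the matrix, so the rendered ConfigMap's shape depends on column positions this collapsed hunk does not show. Writing each value as one flow-style line makes the expansion indentation-proof: `issuer-config: '"oidc-issuers": {"https://kubernetes.default.svc": {"issuer-url": "https://kubernetes.default.svc", "client-id": "sigstore", "type": "kubernetes"}}'` and `issuer-config: '"meta-issuers": {"https://kubernetes.*.svc": {"client-id": "sigstore", "type": "kubernetes"}}'` (key names kept as the hunk spells them; confirm fulcio's loader accepts flow/JSON syntax, which is standard YAML). The `https://kubernetes.*.svc` glob presumably trusts any issuer URL matching it, which is acceptable for a KinD cluster but should not be copied into a real deployment, so a comment such as `# Test-only: a wildcard meta-issuer trusts every issuer matching the glob.` above the Meta Issuer entry would make that explicit. The enclosing `jobs:` mapping starts outside the hunk.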
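Review bot: Wrapping the expansion in `{` / `}` turns the fulcio config into a YAML flow mapping, but the interpolated entries (`oidc-issuers:` followed by nested `https://kubernetes.default.svc:` / `issuer-url:` lines) are block-style mappings, and a block mapping inside a flow mapping is not valid YAML; whether the continuation lines also terminate the outer `config.yaml: |-` scalar early depends on indentation the collapsed hunk hides. Since the inner document is an opaque string to Kubernetes, the ConfigMap can be applied successfully and the error would only surface when fulcio starts, so the step should validate the rendered file right after the heredoc and fail fast — for example `kubectl create --dry-run=client -f config/fulcio-config.yaml` for the outer document, plus a YAML or JSON parse of the extracted `config.yaml` value with whatever parser the runner already has. If the matrix values are single-line flow mappings (`"oidc-issuers": {...}`), the braces added here are sufficient on their own. The `run:` script and the `jobs:` mapping that contain this heredoc both start outside the hunk.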